Lucene search
+L

1282 matches found

ATTACKERKB
ATTACKERKB
added yesterday5 views

CVE-2026-46687

Emlog is an open source website building system. In 2.6.13 and earlier, the article publishing interface stores a path-traversal template parameter from apicontroller.php without validation, and logcontroller.php later checks fileexists and calls include View::getView$template, allowing an...

7.7CVSS6.2AI score0.00177EPSS
Exploits0References2Affected Software1
Nuclei
Nuclei
added yesterday50 views

Aquatronica Controller System <= 5.1.6 - Information Disclosure

Aquatronica Controller System firmware 5.1.6 and earlier and web interface 2.0 and earlier contain an information disclosure vulnerability caused by unauthenticated access to tcp.php endpoint, letting remote attackers retrieve sensitive configuration data including plaintext credentials, exploit...

9.3CVSS6.1AI score0.01443EPSS
Exploits1References4
Nuclei
Nuclei
added yesterday50 views

WordPress Restrict User Access <= 2.5 - Cross-Site Scripting

WordPress Restrict User Access – Membership Plugin with Force versions before 2.6 is vulnerable to Reflected Cross-Site Scripting via the 'ruasection' parameter in the admin level edit page. id: CVE-2024-29138 info: name: WordPress Restrict User Access = 2.5 - Cross-Site Scripting author: Shivam...

7.1CVSS7AI score0.00622EPSS
Exploits0References3
Cvelist
Cvelist
added yesterday19 views

CVE-2026-15651 WP TripAdvisor Review Slider <= 14.6 - Authenticated (Administrator+) SQL Injection via 'filtersource' Parameter

The WP TripAdvisor Review Slider plugin for WordPress is vulnerable to generic SQL Injection via the 'filtersource' parameter in all versions up to, and including, 14.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This...

4.9CVSS0.00288EPSS
Exploits0References6
NVD
NVD
added 6 days ago15 views

CVE-2026-15097

The Themify Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'heightslider' Slider Module Field in all versions up to, and including, 7.7.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

6.4CVSS0.00201EPSS
Exploits0References6
Snyk
Snyk
added 2026/07/08 9:0 p.m.5 views

Improper Certificate Validation

Overview Affected versions of this package are vulnerable to Improper Certificate Validation due to improper enforcement of the Certificate Revocation List on the gRPC listener when separate listeners are configured for HTTP and gRPC client endpoints. An attacker can gain unauthorized access and...

8.5CVSS6.1AI score0.00319EPSS
Exploits0References2
CBLMariner
CBLMariner
added 2026/07/08 4:2 p.m.5 views

CVE-2026-53013 affecting package kernel for versions less than 6.6.143.1-1

CVE-2026-53013 affecting package kernel for versions less than 6.6.143.1-1. An upgraded version of the package is available that resolves this issue...

5.5CVSS6.1AI score0.00122EPSS
Exploits0
CVE
CVE
added 2026/07/08 2:55 p.m.12 views

CVE-2026-55668

The CVE affects File Browser’s ScopedFs component prior to version 2.63.16. An authenticated user with Create and Modify permissions can trigger ScopedFs to validate the nearest existing ancestor of a dangling symlink and then follow the symlink during file creation, allowing attacker‑controlled ...

6.3CVSS6AI score0.00269EPSS
Exploits0References3
NVD
NVD
added 2026/07/08 6:16 a.m.10 views

CVE-2026-14500

The Bulk Order Update for WooCommerce plugin for WordPress is vulnerable to Arbitrary File Read in versions up to, and including, 1.6. This is due to the bouwfetchcsvdata AJAX handler being registered on the wpajaxnopriv hook with no capability or nonce check, and passing the attacker-supplied...

5.3CVSS0.00333EPSS
Exploits0References4
CVE
CVE
added 2026/07/07 8:59 p.m.26 views

CVE-2026-49229

Affected software: Actual, a local-first personal finance app. Vulnerability summary: In OpenID multi-user mode prior to 26.6.0, disabling a user blocks future OpenID logins but does not revoke existing session tokens. The shared session validation path accepts any non-expired token, allowing a d...

8.3CVSS6AI score0.00441EPSS
Exploits0References3
Github Security Blog
Github Security Blog
added 2026/07/07 8:56 p.m.7 views

@better-auth/sso provider registration has server-side request forgery via unvalidated OIDC endpoints

Am I affected? Users are affected if all of the following are true: - Their application uses @better-auth/sso at a version = 0.1.0, 1.6.11 on the stable line, or any 1.7.0-beta.x on the pre-release line. - The sso plugin is added to their application's betterAuth plugins: ... array. - Any user wi...

9.6CVSS6.1AI score0.00252EPSS
Exploits0References3Affected Software1
Positive Technologies
Positive Technologies
added 2026/07/06 12:0 a.m.10 views

PT-2026-55863

Name of the Vulnerable Software and Affected Versions Notifications for Forms & WordPress Actions versions prior to 2.6 Description Authenticated users with subscriber-level access and above can include and execute arbitrary local PHP files on the server. This occurs because the plugin fails to...

7.5CVSS6.3AI score0.00318EPSS
Exploits0References6
NVD
NVD
added 2026/07/02 12:17 p.m.4 views

CVE-2026-57357

Unauthenticated Cross Site Scripting XSS in Search Atlas SEO = 2.6.6 versions...

7.1CVSS0.00191EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/07/02 11:15 a.m.9 views

CVE-2026-57357

Unauthenticated Cross Site Scripting XSS in Search Atlas SEO = 2.6.6 versions...

7.1CVSS5.8AI score0.00191EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/07/02 11:14 a.m.8 views

CVE-2026-27425

Unauthenticated Cross Site Scripting XSS in Automotive Listings = 18.6 versions...

7.1CVSS5.8AI score0.0018EPSS
Exploits0References2
NVD
NVD
added 2026/07/02 10:16 a.m.8 views

CVE-2026-13459

The JetFormBuilder — Dynamic Blocks Form Builder plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.6.3. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated...

5.3CVSS0.00333EPSS
Exploits0References12
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.12 views

PT-2026-54978

Unauthenticated Cross Site Scripting XSS in Automotive Listings = 18.6 versions...

7.1CVSS5.8AI score0.0018EPSS
Exploits0References3
OSV
OSV
added 2026/06/26 9:2 p.m.3 views

GHSA-6Q7J-XR26-3H2C Scriban: ExpressionDepthLimit guard is non-enforcing — parser-recursion DoS in 6.6.0–7.2.0 (incomplete fix for GHSA-wgh7-7m3c-fx25 / GHSA-p6q4-fgr8-vx4p)

Summary The ExpressionDepthLimit parser guard in Scriban does not actually stop parsing — it only logs a non-fatal error and lets recursive descent continue. As a result, a template containing a deeply nested expression parentheses, array initializers, object initializers, or unary operators driv...

6.9CVSS6.1AI score
Exploits0References2
EUVD
EUVD
added 2026/06/26 3:32 p.m.6 views

EUVD-2026-39778

Mattermost Plugins versions =11.6 10.18.11 11.3.6 11.6.5.0 fail to sanitize error responses from the OpenAI API before logging, which allows a user with access to server logs or support packets to obtain a valid or partially reconstructable OpenAI API key via inspection of mattermost.log entries...

6.8CVSS5.8AI score0.00325EPSS
Exploits0References2
CVE
CVE
added 2026/06/26 2:52 p.m.12 views

CVE-2026-56069

This CVE concerns the WordPress Toolset Forms plugin (versions up to 2.6.24). The issue is an Unauthenticated Insecure Direct Object Reference (IDOR) in Toolset Forms, allowing access to objects without authentication. The CVSS 3.1 vector indicates network attack, low attack complexity, no privil...

7.5CVSS5.8AI score0.003EPSS
Exploits0References1
Rows per page
Query Builder